28 August 2008, 01:57 UTC(GMT)

IT security: Do you have control over the users’ morals, ethics, attitudes and behaviour?


Travellers can more than likely nod in recognition of the situation they meet in the airport. For the majority, it is often the start of a good holiday. But the bliss and excitement are interrupted when the traveller, like some criminal, is asked to remove his shoes and belt and then throw away his obviously just purchased soft drink.
The level of security has been increased at the airports' security and check-in areas - this tightening of security automatically affects the traveller. But the reason why some people feel treated unjustly and harassed is because they do not understand why they need to be part of this "exaggerated" security. Some simply think that they are within their rights to feel insulted or behave in a provocative manner. They feel that they are having security forced upon them - without understanding why.

Another situation which many probably know from their daily life is being disturbed now and again by a car alarm. In most cases we have become used to this being a false alarm, that is, the user has made a mistake, and we therefore take no notice of the car alarm. So these are two kinds of reactions to security: the reactive and the passive.

Reactions from the physical world are also being transferred to the digital world. Behaviour and attitude therefore often become characterised by dissatisfaction, because they collide with the understanding of the necessity for increased security. When employees suddenly can no longer download or stream media files, their behaviour can change to one of opposition. In the worst case, the employees ignore the company's restrictions or remove them in order to be able to download what they want - not exactly an unknown phenomenon. Many companies can probably also recognise carelessness with passwords - where users borrow and use others' passwords - precisely the same as in the physical world, where employees lend their access cards to others. The result is that security breaks down.

If morals, ethics and understanding within IT security were in place, then a large portion of the many spam mails, which are sent out daily, could be avoided. If the employees understood what it costs in resources - when they send a joke or a funny picture to their entire mailing list - then I believe that very few mails would be sent in this way. Besides occupying a large part of the company's broadband and thereby delaying the necessary traffic, there is also, purely morally and ethically, something fundamentally very wrong. If it was really appropriate to communicate jokes and pictures in this way - why don't the employees then send them by mail with the company's logo and stamp on them? Funnily enough, the employees would never dream of doing this because the understanding and the morals are two different things - or are they? Because this is precisely the same thing they do digitally.

Combine software with user training
Unfortunately, no security system exists that works as intended if the users are unmotivated and do not know about the purpose and the logic of security. This is where many companies have a hole in their IT security. Typically, the companies invest in very expensive security solutions, but forget about the training of the employees. And if the employees do not understand why the security is necessary, then they often become unmotivated and consider the security as being a hindrance to their work.

An easy, static solution which can remove all problems in terms of security will never come to exist. In addition to the security concept itself - e.g. spam filters, antivirus, intrusion detection, etc. - security fundamentally concerns four things:

Morals, which we all have or should have. We could have the world's best security solution, but if morals do not support it, we will never have the desired security.

Behaviour, which reveals our way of doing things. Bad security behaviour will challenge any security system, often in the capacity of a trusted employee who has access to basically everything.

Attitude, which is a basic element of our personality. If we have no attitudes or a bad attitude, then there is no security system that could function with us as users.

Ethics, which are fundamentally a set of rules for what the company will accept within given frameworks. Without ethical rules, everything would be allowed.

IT security is about us humans, our consciousness, our behaviour and in particular, about a serious adaptation. So when expensive security solutions are to be invested in, remember to correspondingly invest in attitude adaptation and the training of employees.